The Dangers Of Recycling Passwords

Zane Bond, Senior Director, Product Management at Keeper Security, explores…

Global Recycling Day is a day we can all agree is a much-needed moment to celebrate the importance of being a bit more environmentally conscious and thinking about what we throw away and what we can reuse. Recycling is a key part of the global economy and it does a wonderful job of protecting our natural resources. Each year, the ‘seventh resource’ – recyclables – saves over 700 million tonnes of CO2 emissions, and this is projected to increase to 1 billion tons by 2030.

From a technology perspective, reuse is also incredibly important. We recycle hardware, and we can even recycle disk space or data storage, freeing up and reusing what we can. It is a great way of being efficient as well as incredibly cost-effective. But not all recycling is good. A huge issue we continue to see in the cyber security world is the recycling and reuse of passwords.

Password reuse is one of the biggest password errors being made, and it’s a fundamental reason why businesses continue to educate people on good password hygiene.

But why do people do it?

One of the main reasons is that the cognitive load of remembering 300 different passwords is not practical, and not everyone has a vault to generate secure passwords for them. In addition, many people underestimate the dangers of a breach. As we’ve seen over the past twelve to eighteen months, everyone and every industry is a potential target.

We’ve seen everything from high street retailers to gas pipelines being breached – cyber threats are everywhere, yet we still see people not taking them seriously. Another reason is that people are often in the mindset that it’s better to have a password that is easy to remember than one that is hard to crack.

Cybercriminals know that password reuse is rampant, so whenever they get hold of a working password for one account, they attempt to use it on dozens, perhaps hundreds of different sites. Therefore, if one password gets breached, cybercriminals can use it to access all of the accounts associated with it.

This is known as credential stuffing. A cybercriminal uses a set of stolen credentials to attempt to gain access to several accounts at once, and with nearly two thirds of internet users reusing their passwords, you can see why it’s such a devastating attack. Cybercriminals enter the stolen credentials into thousands of websites over the course of a few minutes or several hours, compromising everything from social media accounts to proprietary company software and beyond.
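On the defending side, the tell-tale sign of this attack is a single source trying many *different* usernames in a short time, failing almost all of them. The script below is an added example written for this article (it is not from the article or from Keeper) that flags such sources in a constructed authentication log. The log line format, the thresholds and the addresses are all assumptions; it also lists which accounts the flagged source did get into, which is what an incident responder needs next.

```python
"""Flag credential-stuffing patterns in authentication logs.

Heuristic: one source address attempting logins for many distinct
usernames inside a short window, with a high failure ratio, looks like
a stolen credential list being replayed rather than a user mistyping.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Constructed sample log (not real traffic). Assumed line format:
#   <ISO-8601 timestamp> ip=<source> user=<account> result=<OK|FAIL>
SAMPLE_LOG = """\
2024-03-18T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-03-18T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-03-18T10:00:03Z ip=203.0.113.5 user=carol result=FAIL
2024-03-18T10:00:04Z ip=203.0.113.5 user=dave result=FAIL
2024-03-18T10:00:05Z ip=203.0.113.5 user=erin result=FAIL
2024-03-18T10:00:06Z ip=203.0.113.5 user=frank result=FAIL
2024-03-18T10:00:07Z ip=203.0.113.5 user=grace result=OK
2024-03-18T10:01:10Z ip=198.51.100.7 user=alice result=FAIL
2024-03-18T10:01:25Z ip=198.51.100.7 user=alice result=FAIL
2024-03-18T10:01:40Z ip=198.51.100.7 user=alice result=OK
2024-03-18T10:02:00Z ip=192.0.2.9 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m["ip"], m["user"], m["result"] == "OK")


def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_distinct_users=5, min_fail_ratio=0.8):
    """Return {ip: details} for sources whose activity inside any sliding
    window reaches the distinct-user and failure-ratio thresholds."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev.ip].append(ev)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(events):
            # Advance the window start so the span never exceeds `window`.
            while ev.ts - events[start].ts > window:
                start += 1
            span = events[start:end + 1]
            users = {e.user for e in span}
            fail_ratio = sum(not e.ok for e in span) / len(span)
            if len(users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "fail_ratio": round(fail_ratio, 2),
                        # Accounts the source actually got into: these need
                        # a forced password reset, not just a blocked IP.
                        "compromised": sorted(e.user for e in span if e.ok),
                    }
    return alerts


if __name__ == "__main__":
    for ip, details in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, details)
```

The legitimate user at 198.51.100.7 fails twice on her own account and is not flagged: the signal is breadth across usernames, not failure count alone, which is what separates stuffing from a forgotten password.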

So what can organisations do?

The first thing is to use an enterprise password management (EPM) system that performs device verification checks before allowing employees to log in. If the device or IP address wasn’t previously registered with the user’s account, the login can be stopped. In addition, it’s important that a modern authentication system prevents enumeration attacks, where threat actors use automation to “iterate” through numeric or alphanumeric sequences to determine whether an account exists.

In addition to device verification, two-factor authentication (2FA) is a good security measure. Enforcing 2FA before any attempt on the master password adds a layer of protection against brute-force and credential stuffing attacks against a user’s vault, even if the device verification step is passed.
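The ordering described in the last two paragraphs, device check first, second factor next, master password last, with one identical failure message so the response cannot be used to enumerate accounts or registered devices, as an added example written for this article (not Keeper's code). The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, six digits); the account store, device identifiers, salt and secrets are constructed placeholders.

```python
"""Vault login gate: device -> second factor -> master password, with a
single generic failure message for every unsuccessful outcome."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import NamedTuple

PBKDF2_ROUNDS = 100_000
GENERIC_FAILURE = ("Sign-in failed. Check your details or approve this device "
                   "from a registered one.")


@dataclass(frozen=True)
class Account:
    salt: bytes
    password_hash: bytes
    registered_devices: frozenset
    totp_secret: bytes


class LoginResult(NamedTuple):
    ok: bool
    message: str        # what the client sees: identical for every failure
    audit_reason: str   # server-side log only, never returned to the client


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, dynamic truncation)."""
    counter = (unix_time // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def make_account(password, devices, totp_secret, salt=None) -> Account:
    salt = salt or secrets.token_bytes(16)
    return Account(salt, hash_password(password, salt), frozenset(devices), totp_secret)


# Placeholder account used for usernames that do not exist, so an unknown
# user takes the same code path (and fails at the same stage) as a real
# user on an unregistered device.
DUMMY_ACCOUNT = make_account(secrets.token_hex(16), (), secrets.token_bytes(20))


def login(store, username, device_id, otp_code, password, unix_time) -> LoginResult:
    account = store.get(username, DUMMY_ACCOUNT)
    exists = username in store
    # 1. Device verification: a device never seen on this account is stopped
    #    here and the master password is not examined at all.
    if device_id not in account.registered_devices:
        return LoginResult(False, GENERIC_FAILURE,
                           "unregistered_device" if exists else "unknown_user")
    # 2. Second factor before the master password, so a stuffed credential
    #    list never gets to test passwords against the vault.
    expected = totp(account.totp_secret, unix_time)
    if not hmac.compare_digest(otp_code.encode(), expected.encode()):
        return LoginResult(False, GENERIC_FAILURE, "second_factor_failed")
    # 3. Only now is the (deliberately slow) master-password check performed.
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        return LoginResult(False, GENERIC_FAILURE, "bad_password")
    return LoginResult(True, "Signed in.", "ok")


# Constructed demo store: one user, one registered device, fixed secrets so
# that a run is repeatable.
DEMO_SECRET = b"demo-totp-secret-123"
DEMO_PASSWORD = "correct horse battery staple"
DEMO_STORE = {
    "alice": make_account(DEMO_PASSWORD, {"laptop-7f3a"}, DEMO_SECRET, salt=b"demo-salt-0000"),
}
DEMO_TIME = 1_700_000_000


if __name__ == "__main__":
    code = totp(DEMO_SECRET, DEMO_TIME)
    attempts = [
        ("alice", "laptop-7f3a", code, DEMO_PASSWORD),     # everything right
        ("alice", "phone-new", code, DEMO_PASSWORD),       # unregistered device
        ("mallory", "laptop-7f3a", code, "anything"),      # account does not exist
        ("alice", "laptop-7f3a", "000000", DEMO_PASSWORD), # wrong second factor
        ("alice", "laptop-7f3a", code, "wrong"),           # wrong master password
    ]
    for user, device, otp, pw in attempts:
        print(user, device, login(DEMO_STORE, user, device, otp, pw, DEMO_TIME))
```

Two details carry the anti-enumeration property: the unknown-user path runs against `DUMMY_ACCOUNT` instead of returning early, and the distinguishing reason is kept in `audit_reason` for the server log rather than in the message the client sees.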

The best EPM platforms can audit and report on weak and reused passwords. Some even alert when a password has been found on the Dark Web so that the user can replace it quickly with a new one.
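What such an audit looks like in code, as an added example written for this article (not Keeper's product or code): it walks a constructed vault export, groups entries that share a password, scores each password for weakness, and checks it against a breached-password corpus using the same prefix-only lookup pattern as the Have I Been Pwned "range" API (only the first five hex characters of the SHA-1 leave the client). The corpus here is a small local dictionary standing in for the real service, and the report prints a hash fingerprint rather than the password itself.

```python
"""Audit a vault export for reused, weak and known-breached passwords."""
import hashlib
from collections import defaultdict
from typing import NamedTuple, Tuple


class Entry(NamedTuple):
    site: str
    username: str
    password: str


class Finding(NamedTuple):
    site: str
    username: str
    issues: Tuple[str, ...]
    fingerprint: str   # short hash so reports never contain the password


# Constructed sample vault export (not real credentials).
VAULT = [
    Entry("mail.example.com", "alice", "Summer2023!"),
    Entry("bank.example.com", "alice", "Summer2023!"),
    Entry("shop.example.com", "alice", "Summer2023!"),
    Entry("hr.example.com", "alice", "password"),
    Entry("wiki.example.com", "alice", "t9#Vq2!mLx8@pZ4r"),
]

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Constructed stand-in for a breached-password corpus, keyed by the first
# five hex characters of the SHA-1 exactly as a k-anonymity range lookup
# would be. A real check would fetch the suffix list for that prefix from
# the service and match locally; here the "service" is this dict.
BREACHED_SUFFIXES = defaultdict(set)
for _pw in ("password", "Summer2023!", "qwerty"):
    _h = sha1_hex(_pw)
    BREACHED_SUFFIXES[_h[:5]].add(_h[5:])


def known_breached(password: str, corpus=BREACHED_SUFFIXES) -> bool:
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]          # only `prefix` would be sent out
    return suffix in corpus.get(prefix, set())


def is_weak(password: str, min_length: int = 12) -> bool:
    """Short, on the common list, or fewer than three character classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return (len(password) < min_length
            or password.lower() in COMMON_PASSWORDS
            or classes < 3)


def audit(entries) -> list:
    """Return one Finding per entry that has at least one issue."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e.password].append(e)

    findings = []
    for e in entries:
        issues = []
        if len(by_password[e.password]) > 1:
            issues.append("reused")
        if is_weak(e.password):
            issues.append("weak")
        if known_breached(e.password):
            issues.append("breached")
        if issues:
            fp = hashlib.sha256(e.password.encode()).hexdigest()[:8]
            findings.append(Finding(e.site, e.username, tuple(issues), fp))
    return findings


if __name__ == "__main__":
    for f in audit(VAULT):
        print(f"{f.site:<18} {f.username:<8} {','.join(f.issues):<22} group={f.fingerprint}")
```

Entries sharing a `fingerprint` are the reuse group: rotating one of them is not enough, since the same password is still live on the others, which is the practical consequence of the reuse the article describes.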

Finally, continue to educate users on good password hygiene, making sure everyone in the business understands the dangers and risks of a password breach and what it could mean, not just for them personally but for the wider business.